Abstract

Satisfiability Modulo Theories (SMT) solvers incorporate decision procedures for theories of data types that commonly
occur in software. This makes them important tools for automating verification problems. A limitation frequently
encountered is that verification problems are often not fully expressible in the theories supported natively by the solvers.

Many solvers allow the specification of application-specific theories as quantified axioms, but their handling is incomplete
outside of narrow special cases.

In this work, we show how SMT solvers can be used to obtain complete decision procedures for local theory extensions,
an important class of theories that are decidable using finite instantiation of axioms. We present an algorithm
that uses E-matching to generate instances incrementally during the search, significantly reducing the number
of generated instances compared to eager instantiation strategies. We have used two SMT solvers to implement this
algorithm and conducted an extensive experimental evaluation on benchmarks derived from verification conditions for
heap-manipulating programs. We believe that our results are of interest to both the users of SMT solvers as well as their
developers.


1 Introduction 

Satisfiability Modulo Theories (SMT) solvers are a cornerstone of today’s verification technology. Common applications 
of SMT include checking verification conditions in deductive verification [14,26], computing program abstractions in 
software model checking [1,9,27], and synthesizing code fragments in software synthesis [5,6]. Ultimately, all these 
tasks can be reduced to satisfiability of formulas in certain first-order theories that model the semantics of prevalent data 
types and software constructs, such as integers, bitvectors, and arrays. The appeal of SMT solvers is that they implement 
decision procedures for efficiently reasoning about formulas in these theories. Thus, they can often be used off the shelf 
as automated back-end solvers in verification tools. 

Some verification tasks involve reasoning about universally quantified formulas, which goes beyond the capabilities 
of the solvers’ core decision procedures. Typical examples include verification of programs with complex data structures 
and concurrency, yielding formulas that quantify over unbounded sets of memory locations or thread identifiers. From 
a logical perspective, these quantified formulas can be thought of as axioms of application-specific theories. In practice, 
such theories often remain within decidable fragments of first-order logic [2,7,9,23]. However, their narrow scope (which 
is typically restricted to a specific program) does not justify the implementation of a dedicated decision procedure inside 
the SMT solver. Instead, many solvers allow theory axioms to be specified directly in the input constraints. The solver 
then provides a quantifier module that is designed to heuristically instantiate these axioms. These heuristics are in general 
incomplete and the user is given little control over the instance generation. Thus, even if there exists a finite instantiation 
strategy that yields a decision procedure for a specific set of axioms, the communication of strategies and tactics to 
SMT solvers is a challenge [12]. Further, the user cannot communicate the completeness of such a strategy. In this 
situation, the user is left with two alternatives: either she gives up on completeness, which may lead to usability issues 
in the verification tool, or she implements her own instantiation engine as a preprocessor to the SMT solver, leading to 
duplication of effort and reduced solver performance. 
The contributions of this paper are two-fold. First, we provide a better understanding of how complete decision
procedures for application-specific theories can be realized with the quantifier modules that are implemented in SMT 
solvers. Second, we explore several extensions of the capabilities of these modules to better serve the needs of verification 
tool developers. The focus of our exploration is on local theory extensions [21,36]. A theory extension extends a given 
base theory with additional symbols and axioms. Local theory extensions are a class of such extensions that can be 
decided using finite quantifier instantiation of the extension axioms. This class is attractive because it is characterized by 
proof and model-theoretic properties that abstract from the intricacies of specific quantifier instantiation techniques [15, 
20, 36]. Also, many well-known theories that are important in verification but not commonly supported by SMT solvers 
are in fact local theory extensions, even if they have not been presented as such in the literature. Examples include the 
array property fragment [8], the theory of reachability in linked lists [25, 32], and the theories of finite sets [39] and 
multisets [38]. 

We present a general decision procedure for local theory extensions that relies on E-matching, one of the core components
of the quantifier modules in SMT solvers. We have implemented our decision procedure using the SMT solvers
CVC4 [3] and Z3 [11] and applied it to a large set of SMT benchmarks coming from the deductive software verification
tool GRASShopper [29,31]. These benchmarks use a hierarchical combination of local theory extensions to encode
verification conditions that express correctness properties of programs manipulating complex heap-allocated data structures.
Guided by our experiments, we developed generic optimizations in CVC4 that improve the performance of our
base-line decision procedure. Some of these optimizations required us to implement extensions in the solver’s quantifier
module. We believe that our results are of interest to both the users of SMT solvers as well as their developers. For
users we provide simple ways of realizing complete decision procedures for application-specific theories with today’s
SMT solvers. For developers we provide interesting insights that can help them further improve the completeness and
performance of today’s quantifier instantiation modules.

Related work. Sofronie-Stokkermans [36] introduced local theory extensions as a generalization of locality in equational
theories [15, 18]. Further generalizations include Psi-local theories [21], which can describe arbitrary theory
extensions that admit finite quantifier instantiation. The formalization of our algorithm targets local theory extensions,
but we briefly describe how it can be generalized to handle Psi-locality. The original decision procedure for local theory
extensions presented in [36], which is implemented in H-Pilot [22], eagerly generates all instances of extension axioms
upfront, before the base theory solver is called. As we show in our experiments, eager instantiation is prohibitively expensive
for many local theory extensions that are of interest in verification because it results in a high degree polynomial
blowup in the problem size.

In [24], Swen Jacobs proposed an incremental instantiation algorithm for local theory extensions. The algorithm is
a variant of model-based quantifier instantiation (MBQI). It uses the base theory solver to incrementally generate partial
models from which relevant axiom instances are extracted. The algorithm was implemented as a plug-in to Z3 and
experiments showed that it helps to reduce the overall number of axiom instances that need to be considered. However,
the benchmarks were artificially generated. Jacobs' algorithm is orthogonal to ours as the focus of this paper is on how
to use SMT solvers for deciding local theory extensions without adding new substantial functionality to the solvers. A
combination with this approach is feasible as we discuss in more detail below.

Other variants of MBQI include its use in the context of finite model finding [33], and the algorithm described in [17], 
which is implemented in Z3. This algorithm is complete for the so-called almost uninterpreted fragment of first-order 
logic. While this fragment is not sufficiently expressive for the local theory extensions that appear in our benchmarks, it 
includes important fragments such as Effectively Propositional Logic (EPR). In fact, we have also experimented with a 
hybrid approach that uses our E-matching-based algorithm to reduce the benchmarks first to EPR and then solves them 
with Z3’s MBQI algorithm. 

E-matching was first described in [28], and since has been implemented in various SMT solvers [10,16]. In practice,
user-provided triggers can be given as hints for finer grained control over quantifier instantiations in these implementations.
More recent work [13] has made progress towards formalizing the semantics of triggers for the purposes of
specifying decision procedures for a number of theories. A more general but incomplete technique [34] addresses the
prohibitively large number of instantiations produced by E-matching by prioritizing instantiations that lead to ground
conflicts.


2 Example 

We start our discussion with a simple example that illustrates the basic idea behind local theory extensions. Consider the 
following set of ground literals 

$$G = \{\, a + b = 1,\; f(a) + f(b) = 0 \,\}.$$
We interpret G in the theory of linear integer arithmetic and a monotonically increasing function $f : \mathbb{Z} \to \mathbb{Z}$. One
satisfying assignment for G is:

$$a = 0,\; b = 1,\; f(x) = \begin{cases} -1 & \text{if } x \le 0 \\ \phantom{-}1 & \text{if } x > 0 \end{cases} \qquad (1)$$


We now explain how we can use an SMT solver to conclude that G is indeed satisfiable in the above theory. 

SMT solvers commonly provide inbuilt decision procedures for common theories such as the theory of linear integer
arithmetic (LIA) and the theory of equality over uninterpreted functions (UF). However, they do not natively support the
theory of monotone functions. The standard way to enforce $f$ to be monotonic is to axiomatize this property,


$$K = \forall x, y.\; x \le y \to f(x) \le f(y), \qquad (2)$$

and then let the SMT solver check if $G \cup \{K\}$ is satisfiable via a reduction to its natively supported theories. In our
example, the reduction target is the combination of LIA and UF, which we refer to as the base theory, denoted by $T_0$. We
refer to the axiom $K$ as a theory extension of the base theory and to the function symbol $f$ as an extension symbol.

Most SMT solvers divide the work of deciding ground formulas G in a base theory $T_0$ and axioms $\mathcal{K}$ of theory
extensions between different modules. A quantifier module looks for substitutions of the variables within an axiom $K$, here $x$
and $y$, by some ground terms $t_1$ and $t_2$. We denote such a substitution as $\sigma = \{x \mapsto t_1, y \mapsto t_2\}$ and the instance of an
axiom $K$ with respect to this substitution as $K\sigma$. The quantifier module iteratively adds the generated ground instances
$K\sigma$ as lemmas to G until the base theory solver derives a contradiction. However, if G is satisfiable, as in our case, then
the quantifier module does not know when to stop generating instances of $K$, and the solver may diverge, effectively
enumerating an infinite model of G.

For a local theory extension, we can syntactically restrict the instances $K\sigma$ that need to be considered before concluding
that G is satisfiable to a finite set of candidates. More precisely, a theory extension is called local if in order to
decide satisfiability of $G \cup \{K\}$, it is sufficient to consider only those instances $K\sigma$ in which all ground terms already
occur in G and $K$. The monotonicity axiom $K$ is a local theory extension of $T_0$. The local instances of $K$ and G are:


$$\begin{array}{ll}
K\sigma_1 = a \le b \to f(a) \le f(b) & \text{where } \sigma_1 = \{x \mapsto a,\; y \mapsto b\}, \\
K\sigma_2 = b \le a \to f(b) \le f(a) & \text{where } \sigma_2 = \{x \mapsto b,\; y \mapsto a\}, \\
K\sigma_3 = a \le a \to f(a) \le f(a) & \text{where } \sigma_3 = \{x \mapsto a,\; y \mapsto a\}, \text{ and} \\
K\sigma_4 = b \le b \to f(b) \le f(b) & \text{where } \sigma_4 = \{x \mapsto b,\; y \mapsto b\}.
\end{array}$$


Note that we do not need to instantiate $x$ and $y$ with other ground terms in G, such as 0 and 1. Adding the above instances
to G yields

$$G' = G \cup \{K\sigma_1, K\sigma_2, K\sigma_3, K\sigma_4\},$$

which is satisfiable in the base theory. Since $K$ is a local theory extension, we can immediately conclude that $G \cup \{K\}$
is also satisfiable.


Recognizing Local Theory Extensions. There are two useful characterizations of local theory extensions that can help
users of SMT solvers in designing axiomatizations that are local. The first one is model-theoretic [15,36]. Consider again
the set of ground clauses $G'$. When checking satisfiability of $G'$ in the base theory, the SMT solver may produce the
following model:

$$a = 0,\; b = 1,\; f(x) = \begin{cases} -1 & \text{if } x = 0 \\ \phantom{-}1 & \text{if } x = 1 \\ -1 & \text{otherwise} \end{cases} \qquad (3)$$

This is not a model of the original $G \cup \{K\}$. However, if we restrict the interpretation of the extension symbol $f$ in this
model to the ground terms in $G \cup \{K\}$, we obtain the partial model

$$a = 0,\; b = 1,\; f(x) = \begin{cases} -1 & \text{if } x = 0 \\ \phantom{-}1 & \text{if } x = 1 \\ \text{undefined} & \text{otherwise} \end{cases} \qquad (4)$$

This partial model can now be embedded into the model (1) of the theory extension. If such embeddings of partial models
of $G'$ to total models of $G \cup \{K\}$ always exist for all sets of ground literals G, then $K$ is a local theory extension of $T_0$.
The second characterization of local theory extensions is proof-theoretic and states that a set of axioms is a local theory
extension if it is saturated under (ordered) resolution [4]. This characterization can be used to automatically compute
local theory extensions from non-local ones [20].

Note that the locality property depends both on the base theory as well as the specific axiomatization of the theory
extension. For example, the following axiomatization of a monotone function $f$ over the integers, which is logically
equivalent to equation (2) in $T_0$, is not local:

$$K' = \forall x.\; f(x) \le f(x + 1).$$
Similarly, if we replace all inequalities in equation (2) by strict inequalities, then the extension is no longer local for the
base theory $T_0$. However, if we replace $T_0$ by a theory in which $<$ is a dense order (such as in linear real arithmetic), then
the strict version of the monotonicity axiom is again a local theory extension.

In the next two sections, we show how we can use the existing technology implemented in quantifier modules of 
SMT solvers to decide local theory extensions. In particular, we show how E-matching can be used to further reduce the 
number of axiom instances that need to be considered before we can conclude that a given set of ground literals G is 
satisfiable. 


3 Preliminaries 

Sorted first-order logic. We present our problem in sorted first-order logic with equality. A signature $\Sigma$ is a tuple
$(\mathit{Sorts}, \Omega, \Pi)$, where $\mathit{Sorts}$ is a countable set of sorts and $\Omega$ and $\Pi$ are countable sets of function and predicate symbols,
respectively. Each function symbol $f \in \Omega$ has an associated arity $n \ge 0$ and associated sort $s_1 \times \cdots \times s_n \to s_0$ with
$s_i \in \mathit{Sorts}$ for all $i \le n$. Function symbols of arity 0 are called constant symbols. Similarly, predicate symbols $P \in \Pi$
have an arity $n \ge 0$ and sort $s_1 \times \cdots \times s_n$. We assume dedicated equality symbols $\approx_s \in \Pi$ with the sort $s \times s$ for all sorts
$s \in \mathit{Sorts}$, though we typically drop the explicit subscript. Terms are built from the function symbols in $\Omega$ and (sorted)
variables taken from a countably infinite set $X$ that is disjoint from $\Omega$. We denote by $t : s$ that term $t$ has sort $s$.

A $\Sigma$-atom $A$ is of the form $P(t_1, \ldots, t_n)$ where $P \in \Pi$ is a predicate symbol of sort $s_1 \times \cdots \times s_n$ and the $t_i$ are
terms with $t_i : s_i$. A $\Sigma$-formula $F$ is either a $\Sigma$-atom $A$, $\neg F_1$, $F_1 \wedge F_2$, $F_1 \vee F_2$, or $\forall x : s.\, F_1$ where $F_1$ and $F_2$ are
$\Sigma$-formulas. A $\Sigma$-literal $L$ is either $A$ or $\neg A$ for a $\Sigma$-atom $A$. A $\Sigma$-clause $C$ is a disjunction of $\Sigma$-literals. A $\Sigma$-term,
atom, or formula is said to be ground if no variable appears in it. For a set of formulas $\mathcal{K}$, we denote by $\mathit{st}(\mathcal{K})$ the set of
all ground subterms that appear in $\mathcal{K}$.

A $\Sigma$-sentence is a $\Sigma$-formula with no free variables, where the free variables of a formula are defined in the standard
fashion. We typically omit $\Sigma$ if it is clear from the context.

Structures. Given a signature $\Sigma = (\mathit{Sorts}, \Omega, \Pi)$, a $\Sigma$-structure $M$ is a function that maps each sort $s \in \mathit{Sorts}$ to a non-empty
set $M(s)$, each function symbol $f \in \Omega$ of sort $s_1 \times \cdots \times s_n \to s_0$ to a function $M(f) : M(s_1) \times \cdots \times M(s_n) \to M(s_0)$,
and each predicate symbol $P \in \Pi$ of sort $s_1 \times \cdots \times s_n$ to a relation $M(P) \subseteq M(s_1) \times \cdots \times M(s_n)$. We assume that
all structures $M$ interpret each symbol $\approx_s$ by the equality relation on $M(s)$. For a $\Sigma$-structure $M$ where $\Sigma$ extends a
signature $\Sigma_0$ with additional sorts and function symbols, we write $M|_{\Sigma_0}$ for the $\Sigma_0$-structure obtained by restricting $M$
to $\Sigma_0$.

Given a structure $M$ and a variable assignment $\nu : X \to M$, the evaluation of a term $t$ in $M, \nu$ is defined as
usual. For a structure $M$ and an atom $A$ of the form $P(t_1, \ldots, t_n)$, $(M, \nu)$ satisfies $A$ iff the tuple of the evaluations of
$t_1, \ldots, t_n$ in $M, \nu$ is in $M(P)$. This is written as $(M, \nu) \models A$. From this satisfaction relation of atoms and $\Sigma$-structures,
we can derive the standard notions of the satisfiability of a formula, satisfying a set of formulas $(M, \nu) \models \{F_i\}$, validity $\models F$,
and entailment $F_1 \models F_2$. If a $\Sigma$-structure $M$ satisfies a $\Sigma$-sentence $F$, we call $M$ a model of $F$.

Theories and theory extensions. A theory $T$ over signature $\Sigma$ is a set of $\Sigma$-structures. We call a $\Sigma$-sentence $K$ an
axiom if it is the universal closure of a $\Sigma$-clause, and we denote a set of $\Sigma$-axioms as $\mathcal{K}$. We consider theories $T$ defined
as a class of $\Sigma$-structures that are models of a given set of $\Sigma$-sentences $\mathcal{K}$.

Let $\Sigma_0 = (\mathit{Sorts}_0, \Omega_0, \Pi)$ be a signature and assume that the signature $\Sigma_1 = (\mathit{Sorts}_0 \cup \mathit{Sorts}_e, \Omega_0 \cup \Omega_e, \Pi)$ extends
$\Sigma_0$ by new sorts $\mathit{Sorts}_e$ and function symbols $\Omega_e$. We call the elements of $\Omega_e$ extension symbols and terms starting with
extension symbols extension terms. Given a $\Sigma_0$-theory $T_0$ and $\Sigma_1$-axioms $\mathcal{K}_e$, we call $(T_0, \mathcal{K}_e, T_1)$ the theory extension
of $T_0$ with $\mathcal{K}_e$, where $T_1$ is the set of all $\Sigma_1$-structures $M$ that are models of $\mathcal{K}_e$ and whose reducts $M|_{\Sigma_0}$ are in $T_0$. We
often identify the theory extension with the theory $T_1$.

4 Problem 

We formally define the problem of satisfiability modulo theory and the notion of local theory extensions in this section. 

Let $T$ be a theory over signature $\Sigma$. Given a $\Sigma$-formula $\phi$, we say $\phi$ is satisfiable modulo $T$ if there exists a structure
$M$ in $T$ and an assignment $\nu$ of the variables in $\phi$ such that $(M, \nu) \models \phi$. We define the ground satisfiability modulo
theory problem as the corresponding decision problem for quantifier-free formulas.

Problem 1 (Ground satisfiability problem for $\Sigma$-theory $T$). input: A quantifier-free $\Sigma$-formula $\phi$.

output: sat if $\phi$ is satisfiable modulo $T$, unsat otherwise.
We say the satisfiability problem for $T$ is decidable if there exists a procedure for the above problem which always
terminates with sat or unsat. We write entailment modulo a theory as $\phi \models_T \psi$.

We say an axiom of a theory extension is linear if all the variables occur under at most one extension term. We say
it is flat if there is no nesting of terms containing variables. It is easy to linearize and flatten the axioms by using
additional variables and equality. As an example, $\forall x.\, F$ with $f(x)$ and $f(g(x))$ as terms in $F$ may be written as

$$\forall x\, y\, z.\; x \approx y \wedge z \approx g(y) \to F'$$

where $F'$ is obtained from $F$ by replacing $f(g(x))$ with $f(z)$. For the remainder of the paper, we assume that all
extension axioms $\mathcal{K}_e$ are flat and linear. For the simplicity of the presentation, we assume that if a variable appears below
a function symbol then that symbol must be an extension symbol.

Definition 2 (Local theory extensions). A theory extension $(T_0, \mathcal{K}_e, T_1)$ is local if for any set of ground $\Sigma_1$-literals G:
G is satisfiable modulo $T_1$ if and only if $G \cup \mathcal{K}_e[G]$ is satisfiable modulo $T_0$ extended with free function symbols. Here
$\mathcal{K}_e[G]$ is the set of instances of $\mathcal{K}_e$ where the subterms of the instantiation are all subterms of G or $\mathcal{K}_e$ (in other words,
they do not introduce new terms).

For simplicity, in the rest of this paper, we work with theories $T_0$ which have decision procedures for not just $T_0$ but
also $T_0$ extended with free function symbols. Thus, we sometimes talk of satisfiability of a $\Sigma_1$-formula with respect to a
$\Sigma_0$-theory $T_0$, to mean satisfiability in $T_0$ with the extension symbols in $\Sigma_1$ treated as free function symbols. In terms
of SMT, we only talk of extensions of theories containing uninterpreted functions (UF).

A naive decision procedure for ground SMT of a local theory extension $T_1$ is thus to generate all possible instances
of the axioms $\mathcal{K}_e$ that do not introduce new ground terms, thereby reducing to the ground SMT problem of $T_0$ extended
with free functions.

Hierarchical extensions. Note that local theory extensions can be stacked to form hierarchies

$$((\ldots((T_0, \mathcal{K}_1, T_1), \mathcal{K}_2, T_2), \ldots), \mathcal{K}_n, T_n).$$

Such a hierarchical arrangement of extension axioms is often useful to modularize locality proofs. In such cases, the
condition that variables are only allowed to occur below extension symbols (of the current extension) can be relaxed
to any extension symbol of the current level or below. The resulting theory extension can be decided by composing
procedures for the individual extensions. Alternatively, one can use a monolithic decision procedure for the resulting
theory $T_n$, which can also be viewed as a single local theory extension $(T_0, \mathcal{K}_1 \cup \cdots \cup \mathcal{K}_n, T_n)$. In our experimental
evaluation, which involved hierarchical extensions, we followed the latter approach.


5 Algorithm 

In this section, we describe a decision procedure for a local theory extension, say $(T_0, \mathcal{K}_e, T_1)$, which can be easily
implemented in most SMT solvers with quantifier instantiation support. We describe our procedure $\mathcal{D}_{T_1}$ as a theory
module in a typical SMT solver architecture. For simplicity, we separate out the interaction between theory solver and
core SMT solver. We describe the procedure abstractly as taking as input:

• the original formula $\phi$,

• a set of extension axioms $\mathcal{K}_e$,

• a set of instantiations of axioms that have already been made, $Z$, and

• a set of $T_0$-satisfiable ground literals G such that $G \models \phi \wedge (\bigwedge_{\psi \in Z} \psi)$, and

• a set of equalities $E \subseteq G$ between terms.

It either returns 

• sat, denoting that G is $T_1$-satisfiable; or

• a new set of instantiations of the axioms, $Z'$.
$\mathcal{D}_{T_1}(\phi, \mathcal{K}_e, Z, G, E)$

Local variable: $Z'$, initially an empty set.

1. For each $K \in \mathcal{K}_e$:

(a) Define the set of patterns $P$ to be the function symbols in $K$ containing variables. We observe that because
the axioms are linear and flat, these patterns are always of the form $f(x_1, \ldots, x_n)$ where $f$ is an extension
symbol and the $x_i$ are quantified variables.

(b) Run $\mathcal{E}(E, G, P)$, obtaining substitutions $S$. Without loss of generality, assume that the $\sigma \in S$ returned by
the algorithm are such that $\mathit{st}(K\sigma) \subseteq \mathit{st}(G \cup \mathcal{K}_e)$. For the special case of the patterns in (a), for any $\sigma$
not respecting the condition there exists one in its equivalence class that respects the condition. Formally,
$\forall \sigma.\, \exists \sigma'.\; \sigma' \approx_E \sigma \wedge \mathit{st}(K\sigma') \subseteq \mathit{st}(G \cup \mathcal{K}_e)$. We make this assumption only for simplicity of arguments later
in the paper. If one uses an E-matching procedure not respecting this constraint, our procedure will still be
terminating and correct (albeit with a suboptimal total number of instantiations).

(c) For each $\sigma \in S$, if there exists no $K\sigma'$ in $Z$ such that $\sigma \approx_E \sigma'$, then add $K\sigma$ to $Z'$ as a new instantiation to
be made.

2. If $Z'$ is empty, return sat, else return $Z'$.


Figure 1: Procedure $\mathcal{D}_{T_1}$


For completeness, we describe briefly the way we envisage the interaction mechanism of this module in a DPLL(T)
SMT solver. Let the input problem be $\phi$. The SAT solver along with the theory solvers for $T_0$ will find a subset of literals
G from $\phi \wedge (\bigwedge_{\psi \in Z} \psi)$ whose conjunction is satisfiable modulo $T_0$. If no such satisfying assignment exists, the
SMT solver stops with unsat. One can think of G as being simply the literals in $\phi$ on the SAT solver trail. G will be sent
to $\mathcal{D}_{T_1}$ along with information known about equalities between terms. The set $Z$ can also be thought of as internal state
maintained by the $T_1$-theory solver module, with new instances $Z'$ sent out as theory lemmas and $Z$ updated to $Z \cup Z'$
after each call to $\mathcal{D}_{T_1}$. If $\mathcal{D}_{T_1}$ returns sat, so does the SMT solver and stops. On the other hand, if it returns a new set of
instances, the SMT solver continues the search to additionally satisfy these.

E-matching. In order to describe our procedure, we introduce the well-studied E-matching problem. Given a universally
quantified $\Sigma$-sentence $K$, let $X(K)$ denote the quantified variables. Define a $\Sigma$-substitution $\sigma$ of $K$ to be a mapping from
variables $X(K)$ to $\Sigma$-terms of corresponding sort. Given a $\Sigma$-term $p$, let $p\sigma$ denote the term obtained by substituting
variables in $p$ by the substitutions provided in $\sigma$. Two substitutions $\sigma_1, \sigma_2$ with the same domain $X$ are equivalent modulo
a set of equalities $E$ if $\forall x \in X.\; E \models \sigma_1(x) \approx \sigma_2(x)$. We denote this as $\sigma_1 \approx_E \sigma_2$.

Problem 3 (E-matching). input: A set of ground equalities $E$, a set of $\Sigma$-terms G, and patterns $P$.

output: The set of substitutions $\sigma$ over the variables in $P$, modulo $E$, such that for all $p \in P$ there exists a $t \in G$ with
$E \models t \approx p\sigma$.

E-matching is a well-studied problem, specifically in the context of SMT. An algorithm for E-matching that is efficient
and backtrackable is described in [10]. We denote this procedure by $\mathcal{E}$.

The procedure $\mathcal{D}_{T_1}(\phi, \mathcal{K}_e, Z, G, E)$ is given in Fig. 1. Intuitively, it adds all the new instances along the current
search path that are required for local theory reasoning as given in Definition 2, but modulo equality. For each axiom
$K$ in $\mathcal{K}_e$, the algorithm looks for function symbols containing variables. For example, if we think of the monotonicity
axiom in Sect. 2, these would be the terms $f(x)$ and $f(y)$. These terms serve as patterns for the E-matching procedure.
Next, with the help of the E-matching algorithm, all new instances are computed (to be more precise, all instances for the
axiom $K$ in $Z$ which are equivalent modulo $\approx_E$ are skipped). If there are no new instances for any axiom in $\mathcal{K}_e$, and the
set G of literals implies $\phi$, we stop with sat, as effectively we have that $G \cup \mathcal{K}_e[G]$ is satisfiable modulo $T_0$. Otherwise,
we return this set.

We note that the algorithm may look inefficient because of the nested loops and the bookkeeping of which substitutions
have already been made and which are new. In actual implementations, however, all of this is taken care of by the
E-matching algorithm. There has been significant research on fast, incremental algorithms for E-matching in the context
of SMT, and one advantage of our approach is to be able to leverage this work.
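The procedure of Fig. 1 run on the example of Sect. 2, as an added Python illustration that is not code from the paper or from CVC4/Z3: a small E-graph stands in for the solver's equalities $E$, `ematch` solves Problem 3 for flat linear patterns, and `d_t1` performs steps (a) to (c), skipping substitutions that are equivalent modulo $E$ to ones already in $Z$. The term encoding, the helper names and the sample inputs are assumptions made here.

```python
from itertools import product

# Terms are nested tuples (symbol, arg1, ..., argn); a bare string is a constant,
# or a variable when it starts with '?'.  Axioms are flat and linear as the paper
# assumes, so every pattern is f(?x1, ..., ?xn) with f an extension symbol.

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def subterms(t):
    out = {t}
    if isinstance(t, tuple):
        for a in t[1:]:
            out |= subterms(a)
    return out

def apply_subst(sigma, t):
    if is_var(t):
        return sigma[t]
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply_subst(sigma, a) for a in t[1:])
    return t

def show(t):
    if isinstance(t, str):
        return t.lstrip("?")
    if t[0] in ("->", "<="):
        return f"{show(t[1])} {t[0]} {show(t[2])}"
    return f"{t[0]}({', '.join(show(a) for a in t[1:])})"

class EGraph:
    """Union-find over ground terms, closed under congruence: the equalities E
    the solver currently knows, which E-matching works modulo."""
    def __init__(self, terms, equalities):
        self.parent = {}
        for t in list(terms) + [s for eq in equalities for s in eq]:
            for s in subterms(t):
                self.parent.setdefault(s, s)
        for l, r in equalities:
            self.union(l, r)
        apps = [t for t in self.parent if isinstance(t, tuple)]
        changed = True
        while changed:  # congruence: f(s..) ~ f(t..) once all arguments are ~
            changed = False
            for s, t in product(apps, apps):
                if (s[0] == t[0] and len(s) == len(t) and not self.equiv(s, t)
                        and all(self.equiv(x, y) for x, y in zip(s[1:], t[1:]))):
                    self.union(s, t)
                    changed = True

    def find(self, t):
        while self.parent[t] != t:
            t = self.parent[t]
        return t

    def union(self, s, t):
        rs, rt = self.find(s), self.find(t)
        if rs != rt:
            self.parent[rs] = rt

    def equiv(self, s, t):
        return self.find(s) == self.find(t)

def ematch(eg, patterns):
    """Problem 3 for flat linear patterns: every ground application of a pattern's
    symbol is one candidate; the product over patterns gives the substitutions."""
    per_pattern = [[dict(zip(p[1:], t[1:])) for t in eg.parent
                    if isinstance(t, tuple) and t[0] == p[0] and len(t) == len(p)]
                   for p in patterns]
    return [{v: a for s in combo for v, a in s.items()} for combo in product(*per_pattern)]

def subst_equiv(eg, s1, s2):  # sigma_1 ~_E sigma_2
    return s1.keys() == s2.keys() and all(eg.equiv(s1[v], s2[v]) for v in s1)

def d_t1(axioms, ext_syms, Z, ground_terms, E):
    """Figure 1: 'sat' when no new instance is needed on the current search path,
    otherwise the new instances Z' as (axiom index, sigma) pairs."""
    eg = EGraph(ground_terms, E)
    Z_new = []
    for i, body in enumerate(axioms):
        # (a) patterns: extension-symbol applications whose arguments are variables
        patterns = [t for t in subterms(body) if isinstance(t, tuple)
                    and t[0] in ext_syms and any(is_var(a) for a in t[1:])]
        # (b) E-match, then (c) keep only substitutions new modulo E w.r.t. Z and Z'
        for sigma in ematch(eg, patterns):
            if not any(j == i and subst_equiv(eg, sigma, s2) for j, s2 in Z + Z_new):
                Z_new.append((i, sigma))
    return "sat" if not Z_new else Z_new

def instances(axioms, Z):
    return [show(apply_subst(sigma, axioms[i])) for i, sigma in Z]

# Constructed input from Sect. 2: st(G) for G = {a + b = 1, f(a) + f(b) = 0} and
# the monotonicity axiom K = forall x y. x <= y -> f(x) <= f(y)
G_TERMS = [("+", "a", "b"), "1", ("+", ("f", "a"), ("f", "b")), "0"]
K_MONO = ("->", ("<=", "?x", "?y"), ("<=", ("f", "?x"), ("f", "?y")))
if __name__ == "__main__":
    Z1 = d_t1([K_MONO], {"f"}, [], G_TERMS, [])
    print(instances([K_MONO], Z1), d_t1([K_MONO], {"f"}, Z1, G_TERMS, []))  # 4 instances, then sat
    print(instances([K_MONO], d_t1([K_MONO], {"f"}, [], G_TERMS, [("a", "b")])))  # a ~ b: 1 instance
```

The second round returns sat because every substitution E-matching finds is already covered in $Z$; with $a \approx b$ on the trail, the four substitutions of the first round collapse to a single one modulo $E$.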

Correctness. The correctness argument relies on two aspects: one, that if the SMT solver says sat (resp. unsat) then $\phi$ is
satisfiable (resp. unsatisfiable) modulo $T_1$, and second, that it terminates.
For the case where the output is unsat, the correctness follows from the fact that $Z$ only contains instances of $\mathcal{K}_e$.
The sat case is more tricky, but the main idea is that the set of instances made by $\mathcal{D}_{T_1}(\phi, \mathcal{K}_e, Z, G, E)$ are logically
equivalent to $\mathcal{K}_e[G]$. Thus, when the solver stops, $G \cup \mathcal{K}_e[G]$ is satisfiable modulo $T_0$. As a consequence, G is satisfiable
modulo $T_1$. Since $G \models \phi$, we have that $\phi$ is satisfiable modulo $T_1$.

The termination relies on the fact that the instantiations returned by procedure $\mathcal{D}_{T_1}(\phi, \mathcal{K}_e, Z, G, E)$ do not add new
terms, and they are always a subset of $\mathcal{K}_e[\phi]$. Since $\mathcal{K}_e[\phi]$ is finite, eventually $\mathcal{D}_{T_1}$ will stop making new instantiations.
Assuming that we have a terminating decision procedure for the ground SMT problem of $T_0$, we get a terminating
decision procedure for $T_1$.

Theorem 4. An SMT solver with theory module $\mathcal{D}_{T_1}$ is a decision procedure for the satisfiability problem modulo $T_1$.

Psi-local theories. We briefly explain how our approach can be extended to the more general notion of Psi-local theory
extensions [21]. Sometimes, it is not sufficient to consider only local instances of extension axioms to decide satisfiability
modulo a theory extension. For example, consider the following set of ground literals:

$$G = \{\, f(a) = f(b),\; a \ne b \,\}$$

Suppose we interpret G in a theory of an injective function $f : S \to S$ with a partial inverse $g : S \to S$ for some set $S$.
We can axiomatize this theory as a theory extension of the theory of uninterpreted functions using the axiom

$$K = \forall x, y.\; f(x) = y \to g(y) = x.$$

G is unsatisfiable in the theory extension, but the local instances of $K$ with respect to the ground terms $\mathit{st}(G) =
\{a, b, f(a), f(b)\}$ are insufficient to yield a contradiction in the base theory. However, if we consider the local instances
with respect to the larger set of ground terms

$$\Psi(\mathit{st}(G)) = \{a, b, f(a), f(b), g(f(a)), g(f(b))\},$$

then we obtain, among others, the instances

$$f(a) = f(b) \to g(f(b)) = a \quad\text{and}\quad f(b) = f(a) \to g(f(a)) = b.$$

Together with G, these instances are unsatisfiable in the base theory. 

The set $\Psi(\mathit{st}(G))$ is computed as follows:

$$\Psi(\mathit{st}(G)) = \mathit{st}(G) \cup \{\, g(f(t)) \mid t \in \mathit{st}(G) \,\}$$

It turns out that considering local instances with respect to $\Psi(\mathit{st}(G))$ is sufficient to check satisfiability modulo the theory
extension $K$ for arbitrary sets of ground clauses G. Moreover, $\Psi(\mathit{st}(G))$ is always finite. Thus, we still obtain a decision
procedure for the theory extension via finite instantiation of extension axioms. Psi-local theory extensions formalize this
idea. In particular, if $\Psi$ satisfies certain properties including monotonicity and idempotence, one can again provide a
model-theoretic characterization of completeness in terms of embeddings of partial models. We refer the reader to [21]
for the technical details.

To use our algorithm for deciding satisfiability of a set of ground literals G modulo a Psi-local theory extension
$(T_0, \mathcal{K}_e, T_1)$, we simply need to add an additional preprocessing step in which we compute $\Psi(\mathit{st}(G))$ and define
$G' = G \cup \{\, \mathit{instclosure}(t) \mid t \in \Psi(\mathit{st}(G)) \,\}$ where $\mathit{instclosure}$ is a fresh predicate symbol. Then calling our procedure
for $T_1$ with $G'$ decides satisfiability of G modulo $T_1$.
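The preprocessing step just described, together with the naive instantiation $\mathcal{K}_e[G]$ of Definition 2 (the procedure sketched at the end of Sect. 4), as an added Python illustration that is not code from the paper: `local_instances` enumerates the instances that introduce no term outside a given term set, `psi` builds $\Psi(\mathit{st}(G))$ for the injectivity example, and `add_instclosure` extends G with the fresh instclosure predicate. The term encoding, the helper names, and the restriction of $\Psi$ to those $t$ for which $f(t)$ is already a term (which reproduces the set listed above) are assumptions made here.

```python
from itertools import product

# Terms: a string is a constant (a variable when it starts with '?'); an
# application is a tuple (symbol, arg1, ..., argn).  Atoms and connectives use
# the same tuple shape and are told apart by their symbol.
PREDS = ("->", "=", "!=", "instclosure")

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def subterms(t):
    out = {t}
    if isinstance(t, tuple):
        for a in t[1:]:
            out |= subterms(a)
    return out

def ground_terms(formulas):
    """st(.): all subterms that are terms proper (neither atoms nor connectives)."""
    return {s for f in formulas for s in subterms(f)
            if not (isinstance(s, tuple) and s[0] in PREDS)}

def apply_subst(sigma, t):
    if is_var(t):
        return sigma[t]
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply_subst(sigma, a) for a in t[1:])
    return t

def show(t):
    if isinstance(t, str):
        return t.lstrip("?")
    if t[0] in ("->", "=", "!="):
        return f"{show(t[1])} {t[0]} {show(t[2])}"
    return f"{t[0]}({', '.join(show(a) for a in t[1:])})"

def local_instances(axiom, variables, terms):
    """K[T] as in Definition 2: instances K sigma whose ground terms all lie in T,
    i.e. substitutions over T that introduce no new term, found by exhaustive
    enumeration as in the naive decision procedure."""
    terms = set(terms)
    out = []
    for values in product(sorted(terms, key=str), repeat=len(variables)):
        inst = apply_subst(dict(zip(variables, values)), axiom)
        if ground_terms([inst]) <= terms:
            out.append(inst)
    return out

def psi(terms):
    """Psi(st(G)) for the injective-function extension.  Assumption made here:
    g(f(t)) is added only when f(t) is already a term, which yields exactly the
    set the paper lists and keeps the result closed under subterms."""
    terms = set(terms)
    return terms | {("g", ("f", t)) for t in terms if ("f", t) in terms}

def add_instclosure(literals):
    """The paper's preprocessing step: G' = G u { instclosure(t) | t in Psi(st(G)) }
    with instclosure a fresh predicate, so that every term of Psi(st(G)) is a
    ground term of the input handed to the instantiation procedure."""
    closure = psi(ground_terms(literals))
    return list(literals) + [("instclosure", t) for t in sorted(closure, key=str)]

# Constructed input from Sect. 5: G = {f(a) = f(b), a != b} and the axiom
# K = forall x y. f(x) = y -> g(y) = x
G_INJ = [("=", ("f", "a"), ("f", "b")), ("!=", "a", "b")]
K_INJ = ("->", ("=", ("f", "?x"), "?y"), ("=", ("g", "?y"), "?x"))

def compare():
    """Local instances w.r.t. st(G) versus w.r.t. Psi(st(G)), obtained via G'."""
    before = local_instances(K_INJ, ["?x", "?y"], ground_terms(G_INJ))
    after = local_instances(K_INJ, ["?x", "?y"], ground_terms(add_instclosure(G_INJ)))
    return [show(i) for i in before], [show(i) for i in after]

if __name__ == "__main__":
    before, after = compare()
    print(before)  # []: over st(G) alone no instance can mention g(.) without a new term
    print(after)   # four instances, among them the two derived in the text
```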

6 Implementation and Experimental Results 

Benchmarks. We evaluated our techniques on a set of benchmarks generated by the deductive verification tool 
GRASShopper [19]. The benchmarks encode memory safety and functional correctness properties of programs that 
manipulate complex heap-allocated data structures. The programs are written in a type-safe imperative language without 
garbage collection. The tool makes no simplifying assumptions about these programs like acyclicity of heap structures. 

GRASShopper supports mixed specifications in (classical) first-order logic and separation logic (SL) [35]. The tool
reduces the program and specification to verification conditions that are encoded in a hierarchical combination of
(Psi-)local theory extensions. This hierarchy of extensions is organized as follows:
1. Base theory: at the lowest level we have UFLIA, the theory of uninterpreted functions and linear integer arithmetic,
which is directly supported by SMT solvers.

2. GRASS: the first extension layer consists of the theory of graph reachability and stratified sets. This theory is a 
disjoint combination of two local theory extensions: the theory of linked lists with reachability [25] and the theory 
of sets over interpreted elements [39]. 

3. Frame axioms: the second extension layer consists of axioms that encode the frame rule of separation logic. This 
theory extension includes arrays as a subtheory. 

4. Program-specific extensions: The final extension layer consists of a combination of local extensions that encode 
properties specific to the program and data structures under consideration. These include: 

• axioms defining memory footprints of SL specifications, 

• axioms defining structural constraints on the shape of data structures, 

• sorted constraints, and 

• axioms defining partial inverses of certain functions, e.g., to express injectivity of functions and to specify 
the content of data structures. 

We refer the interested reader to [29-31] for further details about the encoding. 

The programs considered include sorting algorithms, common data structure operations, such as inserting and removing 
elements, as well as complex operations on abstract data types. Our selection of data structures consists of singly and 
doubly-linked lists, sorted lists, nested linked lists with head pointers, binary search trees, skew heaps, and a union find 
data structure. The input programs comprise 108 procedures with a total of 2000 lines of code, 260 lines of procedure 
contracts and loop invariants, and 250 lines of data structure specifications (including some duplicate specifications that 
could be shared across data structures). The verification of these specifications is reduced by GRASShopper to 816 
SMT queries, each of which serves as one benchmark in our experiments. 802 benchmarks are unsatisfiable. The remaining 14 
satisfiable benchmarks stem from programs that have bugs in their implementation or specification. All of these are 
genuine bugs that users of GRASShopper made while writing the programs.^1 We considered several versions of each 
benchmark, which we describe in more detail below. Each of these versions is encoded as an SMT-LIB 2 input file. 

Experimental setup. All experiments were conducted on the StarExec platform [37] with a CPU time limit of one 
hour and a memory limit of 100 GB. We focus on the SMT solvers CVC4 [3] and Z3 [11]^2 as both support UFLIA and 
quantifiers via E-matching. This version of CVC4 is a fork of v1.4 with special support for quantifiers.^3 

In order to be able to test our approach with both CVC4 and Z3, wherever possible we transformed the benchmarks 
to simulate our algorithm. We describe these transformations in this paragraph. First, the quantified formulas in the 
benchmarks were linearized and flattened, and annotated with patterns to simulate Step 1(a) of our algorithm (this was 
done by GRASShopper in our experiments, but may also be handled by an SMT solver aware of local theories). Both 
CVC4 and Z3 support using these annotations for controlling instantiations in their E-matching procedures. In order to 
handle Psi-local theories, the additional terms required for completeness were provided as dummy assertions, so that 
these appear as ground terms to the solver. In CVC4, we also made some changes internally so as to treat these assertions 
specially and apply certain additional optimizations, which we describe later in this section. 
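As an added illustration (not code from the paper or from GRASShopper), the following Python sketch performs the two syntactic transformations just described on a small constructed axiom: it flattens and linearizes a clause over an assumed set of extension symbols and emits it as an SMT-LIB 2 assertion whose :pattern lists every extension term, which is what makes E-matching produce only the instances locality requires. The tuple term representation, the sort name Loc and the sample axiom next(prev(x)) = x are assumptions made here.

```python
# Added example (not from the paper or GRASShopper): the two syntactic steps
# the base algorithm needs, (1) flatten and linearize an extension axiom and
# (2) annotate it with a :pattern over its extension terms, as SMT-LIB 2.
# Terms are tuples (fname, arg, ...); strings are bound variables or constants;
# a clause is a list of literals read as a disjunction, ('not', a) negates a.
import itertools

def subterms(t):  # every function-application subterm of t, outermost first
    return [t] + [s for a in t[1:] for s in subterms(a)] if isinstance(t, tuple) else []

def subst(t, old, new):  # replace every occurrence of term `old` in t by `new`
    if t == old:
        return new
    return (t[0],) + tuple(subst(a, old, new) for a in t[1:]) if isinstance(t, tuple) else t

def flatten_linearize(bound, lits, ext):
    """Return (bound', lits', ext_terms): every extension term of lits' has only
    variables/constants as arguments, no variable is used under extension symbols
    twice, and ext_terms (all flat) is the multi-pattern to trigger on."""
    bound, lits = list(bound), list(lits)
    fresh = (f"v{i}" for i in itertools.count())
    while True:  # flattening: C[g(..)]  ==>  forall v. g(..) = v -> C[v]
        n = next((a for l in lits for t in subterms(l) if t[0] in ext
                  for a in t[1:] if isinstance(a, tuple)), None)
        if n is None:
            break
        bound.append(v := next(fresh))
        lits = [subst(l, n, v) for l in lits] + [("not", ("=", n, v))]
    seen, ext_terms = set(), []  # linearizing: reused x  ==>  forall y. x = y -> ..[y]..
    for t in dict.fromkeys(t for l in lits for t in subterms(l) if t[0] in ext):
        args = []
        for x in t[1:]:
            if x in bound and x in seen:
                bound.append(y := next(fresh))
                lits.append(("not", ("=", x, y)))
                x = y
            seen.add(x)
            args.append(x)
        ext_terms.append(new := (t[0],) + tuple(args))
        lits = [subst(l, t, new) for l in lits]
    return bound, lits, ext_terms

def to_smt(t):  # tuple term -> SMT-LIB s-expression
    return t if isinstance(t, str) else "(" + " ".join(map(to_smt, t)) + ")"

def to_assertion(bound, lits, ext, sort="Loc"):
    """SMT-LIB 2 assertion whose multi-pattern lists every extension term, so
    E-matching yields only the instances locality requires (Step 1(a))."""
    bound, lits, trig = flatten_linearize(bound, lits, ext)
    binders = " ".join(f"({x} {sort})" for x in bound)
    body = to_smt(("or",) + tuple(lits)) if len(lits) > 1 else to_smt(lits[0])
    return f"(assert (forall ({binders}) (! {body} :pattern ({' '.join(map(to_smt, trig))}))))"
```

For the constructed axiom forall x. next(prev(x)) = x with extension symbols {next, prev}, `to_assertion(["x"], [("=", ("next", ("prev", "x")), "x")], {"next", "prev"})` yields the guarded clause `(or (= (next v0) x) (not (= (prev x) v0)))` with pattern `((next v0) (prev x))`.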

Experiment 1. Our first experiment aims at comparing the effectiveness of eager instantiation versus incremental 
instantiation up to congruence (as done by E-matching). Figure 2 charts the number of eager instantiations versus 
the number of E-matching instantiations for each query in a logarithmic plot.^4 Points lying on the central line have 
an equal number of instantiations in both series while points lying on the lower line have 10 times as many eager 
instantiations as E-matching instantiations. (The upper line corresponds to 1/10.) Most benchmarks require substantially 
more eager instantiations. We instrumented GRASShopper to eagerly instantiate all axioms. Subfigure (a) compares 
upfront instantiations with a baseline implementation of our E-matching algorithm. Points along the x-axis required no 
instantiations in CVC4 to conclude unsat. We have plotted the above charts up to 10e10 instantiations. There were four 
outlying benchmarks where upfront instantiations had between 10e10 and up to 10e14 instances. E-matching had zero 
instantiations for all four. Subfigure (b) compares against an optimized version of our algorithm implemented in CVC4. 
It shows that incremental solving reduces the number of instantiations significantly, often by several orders of magnitude. 
The details of these optimizations are given later in the section. 

Experiment 2. Next, we did a more thorough comparison on running times and number of benchmarks solved for 
uninstantiated benchmarks. These results are in Table 1. The benchmarks are partitioned according to the types of data 
structures occurring in the programs from which the benchmarks have been generated. Here, “sl” stands for singly- 
linked, “dl” for doubly-linked, and “sls” for sorted singly-linked. The binary search tree, skew heap, and union find 
benchmarks have all been summarized in the “trees” row. The row “soundness” contains unsatisfiable benchmarks that 
come from programs with incorrect code or specifications. These programs manipulate various types of data structures. 
The actual satisfiable queries that reveal the bugs in these programs are summarized in the “sat” row. 

Figure 2: # of eager instantiations vs. E-matching instantiations inside the solver 

Table 1: Comparison of solvers on uninstantiated benchmarks (time in sec.) 

^1 See www.cs.nyu.edu/~kshitij/localtheories/ for the programs and benchmarks used. 

^2 We used the version of Z3 downloaded from the git master branch at http://z3.codeplex.com on Jan 17, 2015. 

^3 This version is available at www.github.com/kbansal/CVC4/tree/cavl4-lte-draft. 

^4 Figure 2 does not include timeouts for CVC4. 

We simulated our algorithm and ran these experiments on both CVC4 (C) and Z3 obtaining similar improvements 
with both. We ran each with three configurations: 

UD Default. For comparison purposes, we ran the solvers with default options. CVC4’s default solver uses an E- 
matching based heuristic instantiation procedure, whereas Z3’s uses both E-matching and model-based quantifier 
instantiation (MBQI). For both of the solvers, the default procedures are incomplete for our benchmarks. 

UL These columns refer to the E-matching based complete procedure for local theory extensions (algorithm in Fig. 1).^5 

ULO Doing instantiations inside the solver instead of upfront opens the door to optimizations wherein one tries 
some instantiations before others, or reduces the number of instantiations using other heuristics that do not affect 
completeness. The results in these columns show the effect of all such optimizations. 

As noted above, the UL and ULO procedures are both complete, whereas UD is not. This is also reflected in the “sat” 
row in Table 1. Incomplete instantiation-based procedures cannot hope to answer “sat”. A significant improvement can 
be seen between the UL and ULO columns. The general thrust of the optimizations was to avoid blowup of instantiations 
by doing ground theory checks on a subset of instantiations. Our intuition is that the theory lemmas learned from these 
checks eliminate large parts of the search space before we do further instantiations. 

^5 The configuration C UL had one memory out on a benchmark in the tree family. 

Table 2: Comparison of solvers on partially instantiated benchmarks (time in sec.) 

For example, we used a heuristic for Psi-local theories inspired from the observation that the axioms involving Psi- 
terms are needed mostly for completeness, and that we can prove unsatisfiable without instantiating axioms with these 
terms most of the time. We tried an approach where the instantiations were staged. First, the instantiations were done 
according to the algorithm in Fig. 1 for locality with respect to ground terms from the original query. Only when those 
were saturated, the instantiations for the auxiliary Psi-terms were generated. We found this to be very helpful. Since this 
required non-trivial changes inside the solver, we only implemented this optimization in CVC4; but we think that staging 
instantiations for Psi-local theories is a good strategy in general. 

A second optimization, again with the idea of cutting instantiations, was adding assertions in the benchmarks of the 
form $(a = b) \lor (a \neq b)$ where $a, b$ are ground terms. This forces an arbitrary arrangement over the ground terms before 
the instantiation procedure kicks in. Intuitively, the solver first does checks with many terms equal to each other (and 
hence fewer instantiations) eliminating as much of the search space as possible. Only when equality or disequality is 
relevant to the reasoning is the solver forced to instantiate with terms disequal to each other. One may contrast this 
with ideas being used successfully in the care-graph-based theory combination framework in SMT where one needs to 
try all possible arrangements of equalities over terms. It has been observed that equality or disequality is sometimes 
relevant only for a subset of pairs of terms. Whereas in theory combination this idea is used to cut down the number of 
arrangements that need to be considered, we use it to reduce the number of unnecessary instantiations. We found this 
really helped CVC4 on many benchmarks. 

Another optimization was instantiating special cases of the axioms first by enforcing equalities between variables of 
the same sort, before doing a full instantiation. We did this for axioms that yield a particularly large number of instances 
(instantiations growing with the fourth power of the number of ground terms). Again, we believe this could be a good 
heuristic in general. 

Experiment 3. Effective propositional logic (EPR) is the fragment of first-order logic consisting of formulas of the 
shape $\exists \bar{x}\, \forall \bar{y}.\, G$ with $G$ quantifier-free and where none of the universally quantified variables $\bar{y}$ appears below a function 
symbol in $G$. Theory extensions that fall into EPR are always local. Our third exploration is to see if we can exploit 
dedicated procedures for this fragment when such fragments occur in the benchmarks. For the EPR fragment, Z3 has a 
complete decision procedure that uses model-based quantifier instantiation. We therefore implemented a hybrid approach 
wherein we did upfront partial instantiation to the EPR fragment using E-matching with respect to top-level equalities (as 
described in our algorithm). The resulting EPR benchmark is then decided using Z3’s MBQI mode. This approach can 
only be expected to help where there are EPR-like axioms in the benchmarks, and we did have some which were heavier 
on these. We found that on singly linked list and tree benchmarks this hybrid algorithm significantly outperforms all 
other solver configurations that we have tried in our experiments. On the other hand, on nested list benchmarks, which 
make more heavy use of purely equational axioms, this technique does not help compared to only using E-matching 
because the partial instantiation already yields ground formulas. 

The results with our hybrid algorithm are summarized in Column Z3 PM of Table 2. Since EPR is a special case of 
local theories, we also tried our E-matching based algorithm on these benchmarks. We found that the staged instantiation 
improves performance on these as well. The optimizations that help on the uninstantiated benchmarks also work here. 
These results are summarized in the same table. 

Overall, our experiments indicate that there is a lot of potential in the design of quantifier modules to further improve 
the performance of SMT solvers, and at the same time make them complete on more expressive decidable fragments. 
7 Conclusion 

We have presented a new algorithm for deciding local theory extensions, a class of theories that plays an important role in 
verification applications. Our algorithm relies on existing SMT solver technology so that it can be easily implemented in 
today’s solvers. In its simplest form, the algorithm does not require any modifications to the solver itself but only trivial 
syntactic modifications to its input. These are: (1) flattening and linearizing the extension axioms; and (2) adding trigger 
annotations to encode locality constraints for E-matching. In our evaluation we have experimented with different 
configurations of two SMT solvers, implementing a number of optimizations of our baseline algorithm. Our results suggest 
interesting directions to further improve the quantifier modules of current SMT solvers, promising better performance 
and usability for applications in automated verification. 